Issue metadata
Sign in to add a comment
|
Security: ChromeOS ff_debug command execution from crosh shell
Reported by
r...@rorym.cnamara.com,
Mar 5 2018
|
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS Due to inadequate input validation in ff_debug [1], it is possible to break out of crosh and execute commands as the shill-scripts user Once the input validation has been bypassed, we can inject into a sed expression at [2]. This is similar to, and will likely be mitigated by the sed patches discussed in, https://crbug.com/817993 expr can be bypassed by using \| to perform an OR in the regex. The below payload will first bypass the expr filter (with the appended .*\\|.*wifi), followed by breaking out of the sed expression for command execution. The proof of concept will append a log line to /var/log/messages (visible in the browser by navigating to file:///var/log/messages) indicating the user id. The resulting command is executed as shill-scripts but with no other restrictions. [1] https://chromium.googlesource.com/aosp/platform/system/connectivity/shill/+/master/bin/ff_debug#93 [2] https://chromium.googlesource.com/aosp/platform/system/connectivity/shill/+/master/bin/ff_debug#114 REPRODUCTION CASE ff_debug -foo//;s^.^echo${IFS}EXPLOIT:${IFS}$(id)|logger^ep;s/.*\\|.*wifi VERSION ChromeOS Version 64.0.3282.169 (Official Build) (64-bit) Platform 10176.73.0 (Official Build) stable-channel eve Firmware Google_Eve.9584.107.0 Channel Stable Google Pixelbook
,
Mar 5 2018
,
Mar 5 2018
let me accelerate my sed sandbox changes
,
Mar 5 2018
these CLs change CrOS to have sed always run in sandbox mode: https://chromium-review.googlesource.com/949523 https://chromium-review.googlesource.com/949524 that should make this script vector (and all others involving sed) be non-issues. we should of course still do input validation in some form with ff_debug to avoid misbehavior in general.
,
Mar 5 2018
,
Mar 6 2018
The following revision refers to this bug: https://chromium.googlesource.com/aosp/platform/system/connectivity/shill/+/0d914da370add1c6ebe4ce7c0ee537ba19464357 commit 0d914da370add1c6ebe4ce7c0ee537ba19464357 Author: Ben Chan <benchan@chromium.org> Date: Tue Mar 06 13:07:31 2018 shill: simplify ff_debug to let shill validate debug tags instead shill already validates the debug tags in an org.chromium.flimflam.Manager.SetDebugTags method call. It doesn't provide much value to have ff_debug validate and shorten the debug tag expression. This CL simplifies ff_debug to simply pass the debug tag expression to shill. BUG= chromium:818527 TEST=Tested ff_debug on a DUT. Change-Id: Idfa45dbcc862564851581d451607812fb14fa833 Reviewed-on: https://chromium-review.googlesource.com/949763 Commit-Ready: Ben Chan <benchan@chromium.org> Tested-by: Ben Chan <benchan@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/0d914da370add1c6ebe4ce7c0ee537ba19464357/bin/ff_debug
,
Mar 6 2018
,
Mar 6 2018
Setting severity to High because I believe this first requires a browser sandbox escape. Please let me know if that isn't true.
,
Mar 6 2018
i think users can run this directly from crosh. but the escape is as the shill-scripts user which itself isn't (afaik) that useful as that account doesn't have access to anything other than sending whitelisted dbus requests (which crosh already allows). so this would require another priv escalation bug to be useful.
,
Mar 6 2018
This bug requires manual review: Request affecting a post-stable build Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 6 2018
,
Mar 6 2018
The following revision refers to this bug: https://chromium.googlesource.com/aosp/platform/system/connectivity/shill/+/6aff69ef137e7dff7d6c9897ee083bbbebe4b7f6 commit 6aff69ef137e7dff7d6c9897ee083bbbebe4b7f6 Author: Ben Chan <benchan@chromium.org> Date: Tue Mar 06 21:21:18 2018 shill: simplify ff_debug to let shill validate debug tags instead shill already validates the debug tags in an org.chromium.flimflam.Manager.SetDebugTags method call. It doesn't provide much value to have ff_debug validate and shorten the debug tag expression. This CL simplifies ff_debug to simply pass the debug tag expression to shill. BUG= chromium:818527 TEST=Tested ff_debug on a DUT. Change-Id: Idfa45dbcc862564851581d451607812fb14fa833 Reviewed-on: https://chromium-review.googlesource.com/949763 Commit-Ready: Ben Chan <benchan@chromium.org> Tested-by: Ben Chan <benchan@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> (cherry picked from commit 0d914da370add1c6ebe4ce7c0ee537ba19464357) [modify] https://crrev.com/6aff69ef137e7dff7d6c9897ee083bbbebe4b7f6/bin/ff_debug
,
Mar 6 2018
,
Mar 7 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/84e607abdb70d67ba84f8bab353b9db918df1504 commit 84e607abdb70d67ba84f8bab353b9db918df1504 Author: Mike Frysinger <vapier@chromium.org> Date: Wed Mar 07 04:19:26 2018 sed: upgraded package to upstream Upgraded sys-apps/sed to version 4.4 everywhere. BUG= chromium:817993 , chromium:818527 TEST=precq passes Change-Id: Ia66b09188fadca845e2ab3f68b05ae0fd637d62e Reviewed-on: https://chromium-review.googlesource.com/949523 Commit-Ready: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org> Reviewed-by: Chirantan Ekbote <chirantan@chromium.org> Reviewed-by: Micah Morton <mortonm@chromium.org> [delete] https://crrev.com/168c2647b03a6fb96144b24deb9a76dd095e89a3/sys-apps/sed/files/sed-4.1.5-alloca.patch [modify] https://crrev.com/84e607abdb70d67ba84f8bab353b9db918df1504/sys-apps/sed/Manifest [rename] https://crrev.com/84e607abdb70d67ba84f8bab353b9db918df1504/sys-apps/sed/sed-4.4-r1.ebuild [modify] https://crrev.com/84e607abdb70d67ba84f8bab353b9db918df1504/sys-apps/sed/metadata.xml
,
Mar 15 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/29c8fab0561dc26fdff2aab63f8e08754ff01cf1 commit 29c8fab0561dc26fdff2aab63f8e08754ff01cf1 Author: Mike Frysinger <vapier@chromium.org> Date: Thu Mar 15 07:48:36 2018 chromeos: turn on USE=forced-sandbox for mawk & sed We currently always turn this on for mawk via a bashrc, so this doesn't change behavior there. It just makes it easier to sync with Gentoo and drop our local patches (in the future). For sed, this is new behavior. We're disabling support for the e/r/w commands because (1) we don't care about them and have no known legit users and (2) they needlessly expose random shell scripts to attacks. BUG= chromium:817993 , chromium:818527 TEST=precq passes Change-Id: I2173bb02fb271c6c31400efc792ad0b5b01e87b4 Reviewed-on: https://chromium-review.googlesource.com/949524 Commit-Ready: Mike Frysinger <vapier@chromium.org> Tested-by: Mike Frysinger <vapier@chromium.org> Reviewed-by: Mattias Nissler <mnissler@chromium.org> Reviewed-by: David Schneider <dnschneid@chromium.org> [modify] https://crrev.com/29c8fab0561dc26fdff2aab63f8e08754ff01cf1/profiles/targets/chromeos/package.use
,
Mar 16 2018
we've cherry picked back Ben's fix, but we'll want to let the sed change back in ToT. so i think we're set now.
,
Mar 17 2018
,
Mar 19 2018
,
Mar 26 2018
*** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
,
Mar 26 2018
Thanks for the report! The VRP panel decided to award $500 for this, and downgraded the severity to Low, per comment 9. Cheers!
,
Mar 26 2018
Thanks!
,
Mar 26 2018
,
Jun 23 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 28
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Mar 5 2018